2731712ef1906af20a5eccead8381774dd7b244a00eda7d6251963ae787fd2b3

Analysis

max time kernel
93s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RefreshRateService.msi
Size

966KB
MD5

c660910814201ced2a7c0560c008f8f4
SHA1

805b6a7d740b6e9bf12ffa750a33ab7e7bc54778
SHA256

c105e87b1f5d04a4e3818a3747a93a4f4936cd1688b49670a24b4b3e719f46fc
SHA512

bcab8b20a25de65f758574433d5ece69a5a02fdd3df6cb3ddef814f96c7cd132039ae73966d484189796389b939d5a6dcd28fcc754621a3c759328a21c54dda0
SSDEEP

24576:2maHyYiPkLMcMfdTB7yuk3f5BfAJ6svgREp2:2maSYicLXMftBGRE6s+E4

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	4952	msiexec.exe
6	4952	msiexec.exe
8	4952	msiexec.exe
10	4952	msiexec.exe
51	1004	msiexec.exe
52	1004	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RefreshRateService.exe.log	RefreshRateService.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\System.Runtime.WindowsRuntime.dll	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\NotifyArmouryCrate.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\GetMonitorInfo.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\System.Net.Http.dll	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Extensions.DLL	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\TurnOD_OnOff.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUS\RefreshRateService\ODControl.dll	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Registry.DLL	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.InstallState	MsiExec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e581a78.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581a78.msi	msiexec.exe
File created	C:\Windows\Installer\e581a7a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E8F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7E5E84CB-B190-4658-A4DC-166779C329D1}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI217F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2365.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5096	RefreshRateService.exe

Loads dropped DLL 11 IoCs

pid	Process
2736	MsiExec.exe
2736	MsiExec.exe
4868	MsiExec.exe
4868	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
5096	RefreshRateService.exe
5096	RefreshRateService.exe
5096	RefreshRateService.exe
5096	RefreshRateService.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4952	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RefreshRateService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Net.Http.dll\System.Net.Http,Version="4.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="B03F5F7F11D50A3A" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0074005a00580024006f005700740067003f0057004d00400040006a004f0068006700330045006a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Runtime.WindowsRuntime.dll\System.Runtime.WindowsRuntime,Version="4.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKe = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0055007d005e0044005000670033007e005b005d00460027007900330059002800680055007d005e0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|NotifyArmouryCrate.exe\NotifyArmouryCrate,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e003d0077002e00420021004a00330042003800590077002d00760042006d006d006b00720028004f0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Extensions.DLL	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Extensions.DLL\Extensions,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e007800550076006600670040005a006b0037006b0035006c007600240052005e00790073002600300000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|RefreshRateService.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|GetMonitorInfo.exe\GetMonitorInfo,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0027004d00540030002b0063004d00630038006f0055007b0058005d002a002e00660072004700390000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BC48E5E7091B85644ACD6176973C921D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BC48E5E7091B85644ACD6176973C921D\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\PackageCode = "5A1D613C8D491A249AECEFB0A41A127C"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Net.Http.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\ProductName = "RefreshRateService"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Registry.DLL	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Version = "33619968"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\PackageName = "RefreshRateService.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Runtime.WindowsRuntime.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|RefreshRateService.exe\RefreshRateService,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e00520077007500600062007a004d0054005a006d002500270066004f0028005e006d0024006900560000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\265A18BA129B58C4BBDD7D829D8AE296	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|NotifyArmouryCrate.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\265A18BA129B58C4BBDD7D829D8AE296\BC48E5E7091B85644ACD6176973C921D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Registry.DLL\Registry,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0037006b00740065006d0047002700740046002c0030006a0041006e0079003000700076006200640000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|GetMonitorInfo.exe	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1004	msiexec.exe
1004	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4952	msiexec.exe
Token: SeSecurityPrivilege	1004	msiexec.exe
Token: SeCreateTokenPrivilege	4952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4952	msiexec.exe
Token: SeLockMemoryPrivilege	4952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4952	msiexec.exe
Token: SeMachineAccountPrivilege	4952	msiexec.exe
Token: SeTcbPrivilege	4952	msiexec.exe
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeLoadDriverPrivilege	4952	msiexec.exe
Token: SeSystemProfilePrivilege	4952	msiexec.exe
Token: SeSystemtimePrivilege	4952	msiexec.exe
Token: SeProfSingleProcessPrivilege	4952	msiexec.exe
Token: SeIncBasePriorityPrivilege	4952	msiexec.exe
Token: SeCreatePagefilePrivilege	4952	msiexec.exe
Token: SeCreatePermanentPrivilege	4952	msiexec.exe
Token: SeBackupPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeShutdownPrivilege	4952	msiexec.exe
Token: SeDebugPrivilege	4952	msiexec.exe
Token: SeAuditPrivilege	4952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4952	msiexec.exe
Token: SeChangeNotifyPrivilege	4952	msiexec.exe
Token: SeRemoteShutdownPrivilege	4952	msiexec.exe
Token: SeUndockPrivilege	4952	msiexec.exe
Token: SeSyncAgentPrivilege	4952	msiexec.exe
Token: SeEnableDelegationPrivilege	4952	msiexec.exe
Token: SeManageVolumePrivilege	4952	msiexec.exe
Token: SeImpersonatePrivilege	4952	msiexec.exe
Token: SeCreateGlobalPrivilege	4952	msiexec.exe
Token: SeCreateTokenPrivilege	4952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4952	msiexec.exe
Token: SeLockMemoryPrivilege	4952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4952	msiexec.exe
Token: SeMachineAccountPrivilege	4952	msiexec.exe
Token: SeTcbPrivilege	4952	msiexec.exe
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeTakeOwnershipPrivilege	4952	msiexec.exe
Token: SeLoadDriverPrivilege	4952	msiexec.exe
Token: SeSystemProfilePrivilege	4952	msiexec.exe
Token: SeSystemtimePrivilege	4952	msiexec.exe
Token: SeProfSingleProcessPrivilege	4952	msiexec.exe
Token: SeIncBasePriorityPrivilege	4952	msiexec.exe
Token: SeCreatePagefilePrivilege	4952	msiexec.exe
Token: SeCreatePermanentPrivilege	4952	msiexec.exe
Token: SeBackupPrivilege	4952	msiexec.exe
Token: SeRestorePrivilege	4952	msiexec.exe
Token: SeShutdownPrivilege	4952	msiexec.exe
Token: SeDebugPrivilege	4952	msiexec.exe
Token: SeAuditPrivilege	4952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4952	msiexec.exe
Token: SeChangeNotifyPrivilege	4952	msiexec.exe
Token: SeRemoteShutdownPrivilege	4952	msiexec.exe
Token: SeUndockPrivilege	4952	msiexec.exe
Token: SeSyncAgentPrivilege	4952	msiexec.exe
Token: SeEnableDelegationPrivilege	4952	msiexec.exe
Token: SeManageVolumePrivilege	4952	msiexec.exe
Token: SeImpersonatePrivilege	4952	msiexec.exe
Token: SeCreateGlobalPrivilege	4952	msiexec.exe
Token: SeCreateTokenPrivilege	4952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4952	msiexec.exe
Token: SeLockMemoryPrivilege	4952	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4952	msiexec.exe
4952	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 2736	1004	msiexec.exe	88
PID 1004 wrote to memory of 2736	1004	msiexec.exe	88
PID 1004 wrote to memory of 2736	1004	msiexec.exe	88
PID 1004 wrote to memory of 1784	1004	msiexec.exe	110
PID 1004 wrote to memory of 1784	1004	msiexec.exe	110
PID 1004 wrote to memory of 4868	1004	msiexec.exe	114
PID 1004 wrote to memory of 4868	1004	msiexec.exe	114
PID 1004 wrote to memory of 4868	1004	msiexec.exe	114
PID 1004 wrote to memory of 1840	1004	msiexec.exe	115
PID 1004 wrote to memory of 1840	1004	msiexec.exe	115
PID 1004 wrote to memory of 1840	1004	msiexec.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RefreshRateService.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D4F6D3C1E5A720E2EC09FC842AEDE752 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7D086B7CDA02ED00BF4F9EF9BC1E8D4F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5D20FE068DA8516FCC5056A481EF57E0 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2092

C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe
"C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581a79.rbs

Filesize
12KB

MD5
0474c36cd4356e5af1063e0d0987d2f4

SHA1
22f8b987bfb07475ae4355b29b02ecb8db142b19

SHA256
a86c4c54396079db8b933d8967bbe4554452209ea1bd8520a4b9630086b70176

SHA512
14362a2878e68d4fd3562e45d27cd0fb1ed4b415cfc5e734f89cae4238c5bddc70fa4af6b7b2dc908a9700e071d93c8c57aba643785438c9263af2cb33ba9ad4

Download Submit
C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Extensions.DLL

Filesize
22KB

MD5
fe7479e7d2bebe9da4f89510edd2cb1f

SHA1
60e9f18072ccdd7b2cfcb745a8380dc5d45b109b

SHA256
13436192ae10716c0a02d8febff7af8353d675b70cc6d6afa4647427915af56a

SHA512
ea2b3c6a4ead496f521e0e681bd550083e1c1a643e1198b6c1c02b01b2ffa6ce03bc9ccfc5a5074e3be262ca42afce531515e67e61ffa98eaca4f2c1d2936d89

Download Submit
C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe

Filesize
39KB

MD5
b2a676117fbed1bcb9125a81ba779109

SHA1
83d1ffd8f45996c1df0b140fad5c4b60856c7c89

SHA256
10fb567c6dcc8c0cafc05cddcb1d65983f3e8025fb22aa6743f356da358f6c88

SHA512
27d0d010a1275c82f19f44abbe9cfba450fd065e673d7194dea6e37e52188ab535bf8722d2732d76f7cc83cb79b658918d1e231a4eaf2241ccd506c9eb62bf5e

Download Submit
C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Registry.dll

Filesize
27KB

MD5
fa2f215855bd88f58ac67d3c87427748

SHA1
d12c386fc083ca64e37f630adfd4ab32c8541bef

SHA256
0a340876978c1097c1a2750954ceb8be8cf01d1caa3dff02f2e54b9f2f727583

SHA512
63ac827a9550f433ba588a1426dcdd187c9dbc4fb971e22855da874cf6b04e9c703df5511a9069297926b2b89c4b23349a944e2bafbfac057d207748b37342dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
bab3ac8622c04930ddbb5ecc48d226a0

SHA1
d1fb0641a6abdc0735009e2795ef36872137217e

SHA256
95f1c554da12fe478e82b22d03174448a184e78fd7e7909463478bd73fa8453f

SHA512
643f32047550520b3f346ee17304481e69afe18af276d3b42ea1f1beef1623658d841d76ccc6187c0beaf3cb969d0ced8817b4f5353fda965fa84b3d61a545a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60B3F7207DEB992031C120EB71F562CD

Filesize
4KB

MD5
94bf0bf032ce32469dd74f4f1f5320e6

SHA1
86bff704a2f82816f346a6a374250f35743de3b0

SHA256
54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b

SHA512
ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
1KB

MD5
46bb305834dfa0f137360a14fb05991b

SHA1
b6d88fb79de3edaf08ce46574a8b2668fe83149f

SHA256
4bcecb91ff7c77d4bb2bafc1fd5d51102fd2e7d9df1979ee93623f6b20b20cae

SHA512
bd88722a9a04210c50104acc40c11fce290e8288e06c80e3e9c20a6ef09a8b2393cab54c21b107a9efc4b3271bdce5c7bb7df05ca0824ad8b31a6b81131f6d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_2626E0D3003A456BE647B6CAD9616268

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
37047b67c8ee86697853ab151df10443

SHA1
397199baba20922fbf9b2c49bfbd38d1a8ae0974

SHA256
9349aa9b66e9697c3a01cc62527e1f2ea3cfc423421d787efc5639780deae491

SHA512
9175c512dee2e4b373e15fc7482196d081fe47df9316a22ebfc8ada11725378d39e61a65090b648ad430e9006c3b911457e1e21d70eeb73ff8a1a0340d4a54ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD

Filesize
222B

MD5
47c88996f0f867163f45d0a20fa8f034

SHA1
6a9ad9a02d94633654006c56359c167e73977683

SHA256
ab734585cec16667ca4609328949dee501fec43f30c3afa3dec68e26effdc576

SHA512
82757412322798a8ee116f53d80fd8d868a99219e507edb57d3f89406d40b00109eb1d05a0aa6d0e08c2b7b666c838d50b9305767459addabde645c1c618c418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
498B

MD5
2d7a0e31b8b8b3430cb2ff255558899d

SHA1
b85c24d140348aeecad7ed085d025e1f1648a9b0

SHA256
4fd5eb639785c9ce2fd390644990f798694eb6ad01ad2acd0d524e92591a8a18

SHA512
f805308983d086345d0355e73c3eeff7b475b56a11b3a9600550badf0bfc9de7a93fb21033d509adcb8cc7e6980dd0b63fa9181d94996e63bfe9e0dc3c4a23c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_2626E0D3003A456BE647B6CAD9616268

Filesize
452B

MD5
9d911131700f9da20e8f96021d9e0a17

SHA1
b89e79a01ad45865256fb1f56816c02eb6137339

SHA256
f5a4a5f0c3f14bd2ca025d47b6778c8aadc6b6642027c8f3fab2d8373a6ae437

SHA512
1fc76b647c54211325709a19e1679b8350650f4af8c45e038638eec2e3babc61db5e66eb08b092fcb2eb7abd2735a698099140e5dd3d1afa312dedee1c44fd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG2093.tmp

Filesize
152B

MD5
df6640211847a5b71f62b8187994ea38

SHA1
07c26fac7b1d538464497e6ca47b6ca8b465b8ba

SHA256
7d5f1726f0d15597fdd0fbcf8c27fd2ce668d80ebc39ca56f569f06957d510fb

SHA512
5530133a0992e2e956e10edccf02672eb410381bcdb7a6f0d46a78a6206141c9e9e63f7462c4ed83ddd9a3bb2b1f59627dca1a0b18ce8c9aea436ea17938f75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C8E.tmp

Filesize
298KB

MD5
9945f10135a4c7214fa5605c21e5de9b

SHA1
3826fb627c67efd574a30448ea7f1e560b949c87

SHA256
9f3b0f3af4bfa061736935bab1d50ed2581358ddc9a9c0db22564aced1a1807c

SHA512
f385e078ceeb54fe86f66f2db056baba9556817bbf9a110bcd9e170462351af0dd4462429412410c7c3b2b76ea808d7bce4ea1f756a18819aa1762edb3745cc5

Download Submit
C:\Windows\Installer\MSI2365.tmp

Filesize
114KB

MD5
fe01d395c4b85df8c426fc9620120ba8

SHA1
23348d42947a64efa5209b30e9b8a6264f4a990a

SHA256
4f10c0bd8d22e8215b02f092279abf7bb148cb1497207ec2ebab32662009b2ac

SHA512
d255211adb5fbf5cda875ad138abb064a7deedbed28f4e862df4fea962f84437c92a53dd18ed6d2098d0d9415d4a5ca80e39e9bc91b4382b01714d23f29615ea

Download Submit
C:\Windows\Installer\e581a78.msi

Filesize
966KB

MD5
c660910814201ced2a7c0560c008f8f4

SHA1
805b6a7d740b6e9bf12ffa750a33ab7e7bc54778

SHA256
c105e87b1f5d04a4e3818a3747a93a4f4936cd1688b49670a24b4b3e719f46fc

SHA512
bcab8b20a25de65f758574433d5ece69a5a02fdd3df6cb3ddef814f96c7cd132039ae73966d484189796389b939d5a6dcd28fcc754621a3c759328a21c54dda0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
90ed3ff28b1ac21016137b344cb03c10

SHA1
f762b620e27685bc58ffc0deddb8119b31da22a0

SHA256
5e6204db5807ceedfa58c5acbe85d2d75ad716bac7b02c38628f19a41b8e7a85

SHA512
4437706650c021fc69ee3f865151fde1d3db0b3ac9dc5e9e26f81142f90403e438c9b71f49c5e19e8193a33296f72fbd8496ec2e6155fc7d3e64fd7ba19c0d73

Download Submit
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a1e6bc9e-f165-439c-bebe-58fdec698378}_OnDiskSnapshotProp

Filesize
6KB

MD5
0dd6141bea738ab57105aaf006a65691

SHA1
09a0b0e702fbc3a122371351b0de2d988d7d1faa

SHA256
0d63219a40987ff12f4bb4129d5a48080334d433e9403cec2c161bc9bde75da6

SHA512
21e0cfe7f6a2032dc56753966e72bd0f3f2d25e6fb87adce217d5bfe0281b79444ebac38e5800550219b2256137524f4a6a0f8aef0a67161aba45cde8a8eb84c

Download Submit
memory/1840-99-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1840-87-0x0000000003160000-0x000000000317A000-memory.dmp

Filesize
104KB

Download
memory/1840-94-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/1840-101-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/1840-93-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/1840-92-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/1840-91-0x00000000052F0000-0x00000000052FE000-memory.dmp

Filesize
56KB

Download
memory/5096-104-0x0000000001AA0000-0x0000000001AAA000-memory.dmp

Filesize
40KB

Download
memory/5096-108-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download